osu/Lucky Roll gaming
周末osu有道题:lcg已知低位
def lcg(s, a, b, p):
return (a * s + b) % p
p = getPrime(floor(72.7))
a = randrange(0, p)
b = randrange(0, p)
seed = randrange(0, p)
print(f"{p = }")
print(f"{a = }")
print(f"{b = }")
def get_roll():
global seed
seed = lcg(seed, a, b, p)
return seed % 100
out = []
for _ in range(floor(72.7)):
out.append(get_roll())
print(f"{out = }")
flag = open("flag.txt", "rb").read()
key = bytes([get_roll() for _ in range(16)])
iv = bytes([get_roll() for _ in range(16)])
cipher = AES.new(key, AES.MODE_CBC, iv)
print(cipher.encrypt(pad(flag, 16)).hex())
题目很短,先给出lcg的参数,然后输出72个seed%100的值,后边是AES不是重点。
从网上搜到一例是给出高位的:crypto-babyLCG(NPUCTF2020)_lcg已知低位-CSDN博客
名字上是低位实际上是高位。共128位已知高64位。转出来式子:
从式子上看泄露部分跟高位还是低位无关,所以构造格是完全相同的。
m = 4420073644184861649599
a = 1144993629389611207194
b = 3504184699413397958941
l = [0,39, 47, 95, 1, 77, 89, 77, 70, 99, 23, 44, 38, 87, 34, 99, 42, 10, 67, 24, 3, 2, 80, 26, 87, 91, 86, 1, 71, 59, 97, 69, 31, 17, 91, 73, 78, 43, 18, 15, 46, 22, 68, 98, 60, 98, 17, 53, 13, 6, 13, 19, 50, 73, 44, 7, 44, 3, 5, 80, 26, 10, 55, 27, 47, 72, 80, 53, 2, 40, 64, 55, 6]
enc = '34daaa9f7773d7ea4d5f96ef3dab1bbf5584ecec9f0542bbee0c92130721d925f40b175e50587196874e14332460257b'
A = [1]
B = [0]
for i in range(1, len(l)-1):
A.append(a*A[i-1] % m)
B.append((a*B[i-1]+(a*l[i]+b-l[i+1])*inverse_mod(100,m)) % m)
A = A[1:]
B = B[1:]
dim = len(l)
M = matrix(ZZ, dim, dim)
for i in range(dim-2):
M[i, i] = m
M[-2, i] = A[i]
M[-1, i] = B[i]
M[i, -2] = M[i, -1] = 0
M[-2,-2] = 1
M[-1,-1] = m//100 #高位的规模 格与高低位无关,但需要未知部分明显小于模
ll = M.LLL()[0]
l1 = ll[-2]
h1 = l[1]
s1 = l1*100+h1
#for s1=a*seed+b%m
seed = ((s1-b)*inverse_mod(a,m))%m
print(seed)
def get_roll():
global seed
seed = (seed*a+b)%m
return int(seed % 100)
seed = 728664259414514712557
out = []
for _ in range(floor(72.7)):
out.append(get_roll())
key = bytes([get_roll() for _ in range(16)])
iv = bytes([get_roll() for _ in range(16)])
from Crypto.Cipher import AES
cipher = AES.new(key, AES.MODE_CBC, iv)
print(cipher.decrypt(bytes.fromhex(enc)))
#osu{w0uld_y0u_l1k3_f1r5t_0r_53c0nd_p1ck}
第2题来自gcc ctf
GCC/TooManyLeaks
题目也很短给出g,A=2^a,B=2^b,c,AC=2^(a+c),s = B^a,s2=AC^b 其中s,s2仅给出高257位
再通过r1,r2分别是s1,s2的高位得到
从rec师傅那问到构造方法(前边自己想的几个都没成功)
用自制的数据验证得到的结果:第1个是-x但后边并不是y,y通过计算得到
p=12659765344651740648724763467724826993725936263366951091039118416195292099370631377712042960634433459603684366298668316118798753725083109726606307230709481
A=3301451331273103822833339817189898484477574460332521541023442766617163003861277567173209945681794302860954824946103841799431004692332025577336344394695314
B=4585794959794770660643739179463936175470737153250504109915159478661133411133496952267060123069524419032124459912888910847574766484421490926652243218962165
r1=2568748433813321161874639775621008976218176085243148442053880160521563872123950485879781803171876295709491228751046125319137014580919198982132588104122368
c=13305825506775525477695274133373660177357107668926266252207560823721404224069651345842091298405541700114875323083835571095924844005731356668708175418706451
AC=7245241643057289361660908682282370311759108862519890618466911853745311287850476739612486696335989486506224784314474292337315512082870292214611222140900864
r2=3829741721947473719324421527352078984331611168371079834096760630101921404398331513243772077101441758022492336098369985623504441570880895898971858238701568
ciphertext = bytes.fromhex('89c372210be2a7b313366206f7426f941157009493d00fcb18b467250139413b6ea1ada6302e1916b6c02a6f935f4ed4')
iv = bytes.fromhex('c7d192fb72b529acf7b57d488c182466')
'''
A = 2^a ,B = 2^b ,AC = 2^(a+c)
s = B^a = 2^(ab) => r1+x = 2^(ab)
s2 = AC^b = 2^(ab+bc) = 2^ab * 2^bc = s * B^c => r2 + y = (r1+x)*BC = r1*BC + x*BC
-x + y*BC+ r1*BC - r2 = 0 mod p
|1 0 BC|
|0 1 R |.LLL() = |y k x|
|0 0 p |
'''
BC = pow(B,c,p)
R = int((r1*BC-r2)%p)
M = matrix(ZZ,[[1,0,BC],[0,2^255,R],[0,0,p]])
L = M.LLL()
'''
[ -25633356745769628425188974048965624683829363674340702376652630056616274263520 0 25192355301191283908458965869175850121091834483889075955116860140524780856947]
[ 16398029187545116410379158779174289772216017281301637621417139570711691284296 57896044618658097711785492504343953926634992332820282019728792003956564819968 41036197941114149842214882116707031982582245609637689544867914273576525805038]
[-149510885595142246734642323500819848441581984553636254311696365107836707555515 173688133855974293135356477513031861779904976998460846059186376011869694459904 -175483554550299102224589434426378557989582203738521393133765379465260896275103]
'''
for v in L:
x,k,y = v
y.nbits()
x.nbits()
hex(x)
hex(y)
x = 25633356745769628425188974048965624683829363674340702376652630056616274263520
#y = BC*(r1+x)%p-r2
y = 41036197941114149842214882116707031982582245609637689544867914273576525805038
#0x5ab9aa3a0a42183deb14e8725ef711b906ecc058e8be025b04d2d5322104b5ee
s = r1+x
#0x310bc7e26b23c79469a5c1eb7b210f527af22ba0d17726051cd95216d6cdfd862440f4a33747fa708f7b878e6b882f164a2e7cf72cc2b67754c416a3fc6c4f48
import hashlib
from Crypto.Cipher import AES
sha1 = hashlib.sha1()
sha1.update(str(s).encode('ascii'))
key = sha1.digest()[:16]
cipher = AES.new(key, AES.MODE_CBC, iv)
flag = cipher.decrypt(ciphertext)
#b'GCC{D1ff13_H3llm4n_L34k_15_FUn!!}\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0f'